Constructing and Counting Even-Variable Symmetric Boolean Functions with Algebraic Immunity not Less Than d

Yuan Li, Hui Wang and Haibin Kan 
Abstract 



In this paper, we explicitly construct a large class of symmetric Boolean functions on $2k$ variables with algebraic immunity not less than $d$, where integer $k$ is given arbitrarily and $d$ is a given suffix of $k$ in binary representation. If we let $d = k$, our constructed functions achieve the maximum algebraic immunity. Remarkably, $2^{\lfloor \log_2 k \rfloor + 2}$ symmetric Boolean functions on $2k$ variables with maximum algebraic immunity are constructed, which is much more than the previous constructions. Based on our construction, a lower bound on the number of symmetric Boolean functions with algebraic immunity not less than $d$ is derived, which is $2^{\lfloor \log_2 d \rfloor + 2(k-d+1)}$. As far as we know, this is the first lower bound of this kind.

1 Introduction 

Algebraic attacks have received a lot of attention in studying the security of cryptosystems. If a Boolean function used in a stream cipher has low-degree annihilators, the cipher is easily attacked. This adds a new cryptographic property for designing Boolean functions to be used as building blocks in cryptosystems, which is known as algebraic immunity (AI). Since then, algebraic immunity, as a property of Boolean functions, has been widely studied.

Constructing Boolean functions with high AI is interesting and important. A lot of general methods to construct Boolean functions with maximum algebraic immunity are proposed [4], [5], [10]. Results in [5], [11] show that the number of general Boolean functions achieving maximum algebraic immunity is large.

Among all Boolean functions, symmetric Boolean functions are an interesting class and their properties are well studied [9], [12], [13]. In [12], [13], the authors proved that there are only two symmetric Boolean functions on an odd number of variables with maximum AI. In Braeken's thesis [15], some symmetric Boolean functions on even variables with maximum AI are constructed. In [8], more such functions are constructed, which generalizes results in [15]. In [14], by using the weight support technique, all $(2^m + 1)$-variable symmetric Boolean functions with submaximal algebraic immunity $2^{m-1}$ are constructed.

In this paper, we focus on constructing symmetric Boolean functions with high algebraic immunity on $2k$ variables, where $k$ is given arbitrarily. For a given $d$, where $d$ is a suffix of $k$ in binary representation, we construct a large class of Boolean functions with AI not less than $d$. Particularly, if we let $d = k$, our constructed Boolean functions achieve maximum AI. Compared with all the previous constructions of this kind, the number of our constructed Boolean functions is much larger. Furthermore, a lower bound on the number of symmetric Boolean functions with algebraic immunity not less than $d$ is derived.

2 Preliminaries 

Let $\mathbb{F}_2$ be the finite field with only two elements. To prevent confusion with the usual sum, the sum over $\mathbb{F}_2$ is denoted by $\oplus$. The Hamming weight of a vector $\alpha = (\alpha_1, \ldots, \alpha_n)$ is defined by $\mathrm{wt}(\alpha) = \sum_{i=1}^{n} \alpha_i$.

A Boolean function on $n$ variables may be viewed as a mapping from $\mathbb{F}_2^n$ into $\mathbb{F}_2$. We denote by $\mathcal{B}_n$ the set of all $n$-variable Boolean functions. The Hamming weight $\mathrm{wt}(f)$ is the size of the support $\mathrm{supp}(f) = \{x \in \mathbb{F}_2^n \mid f(x) = 1\}$. The support of $f$ is also called the on set of $f$, which is denoted by $1_f$. On the contrary, the off set of $f$ is the set $\{x \in \mathbb{F}_2^n \mid f(x) = 0\}$, which is denoted by $0_f$. Any $f \in \mathcal{B}_n$ can be uniquely represented as

$$f(x_1, x_2, \ldots, x_n) = \bigoplus_{\alpha \in \mathbb{F}_2^n} c_\alpha \prod_{i=1}^{n} x_i^{\alpha_i} = \bigoplus_{\alpha \in \mathbb{F}_2^n} c_\alpha x^\alpha. \qquad (1)$$

This kind of expression of $f$ is called the Algebraic Normal Form (ANF). The algebraic degree of $f$ is the number of variables in the highest order term with nonzero coefficient, which is denoted by $\deg(f)$.

A Boolean function is said to be symmetric if its output is invariant under any permutation of its input bits. For a symmetric Boolean function $f$ on $n$ variables, we have

$$f(x_1, x_2, \ldots, x_n) = f(x_{\sigma(1)}, x_{\sigma(2)}, \ldots, x_{\sigma(n)}) \qquad (2)$$

for all permutations $\sigma$ on $\{1, 2, \ldots, n\}$.

This equivalently means that the output of $f$ only depends on the weight of its input vector. As a consequence, $f$ is related to a function $v_f : \{0, 1, \ldots, n\} \to \mathbb{F}_2$ such that $f(\alpha) = v_f(\mathrm{wt}(\alpha))$ for all $\alpha \in \mathbb{F}_2^n$. The vector $v_f = (v_f(0), v_f(1), \ldots, v_f(n))$ is called the simplified value vector (SVV) of $f$. The set of all $n$-variable symmetric Boolean functions is denoted by $\mathcal{SB}_n$.

Proposition 2.1. [9] A Boolean function $f$ on $n$ variables is symmetric if and only if its ANF can be written as follows:

$$f(x_1, x_2, \ldots, x_n) = \bigoplus_{i=0}^{n} \lambda_f(i) \bigoplus_{\alpha \in \mathbb{F}_2^n,\ \mathrm{wt}(\alpha) = i} x^\alpha = \bigoplus_{i=0}^{n} \lambda_f(i)\, \sigma_i^n, \qquad (3)$$

where $\sigma_i^n$ is the elementary symmetric polynomial of degree $i$ on $n$ variables.

Then, the coefficients of the ANF of $f$ can be represented by an $(n+1)$-bit vector, $\lambda_f = (\lambda_f(0), \lambda_f(1), \ldots, \lambda_f(n))$, called the simplified algebraic normal form (SANF) vector of $f$.

Proposition 2.2. [9] Let $f$ be a symmetric Boolean function on $n$ variables. Then, its simplified value vector $v_f$ and its simplified ANF vector $\lambda_f$ are related by

$$v_f(i) = \bigoplus_{k \preceq i} \lambda_f(k) \quad \text{and} \quad \lambda_f(i) = \bigoplus_{k \preceq i} v_f(k), \qquad (4)$$

for all $i = 0, 1, \ldots, n$.

Definition 2.3. [7] For a given $f \in \mathcal{B}_n$, a nonzero function $g \in \mathcal{B}_n$ is called an annihilator of $f$ if $fg = 0$, and the algebraic immunity (AI) of $f$ is the minimum degree of all annihilators of $f$ or $f \oplus 1$, which is denoted by $\mathrm{AI}(f)$.

Note that $\mathrm{AI}(f) \le \deg(f)$, since $f(f \oplus 1) = 0$. Therefore, a function with high AI will not have a low algebraic degree. It was known from [6] that for any $f \in \mathcal{B}_n$, $\mathrm{AI}(f) \le$

Two Boolean functions $f$ and $g$ are said to be affine equivalent if there exist $A \in GL_n(\mathbb{F}_2)$ and $b \in \mathbb{F}_2^n$ such that $g(x) = f(xA + b)$. Clearly, algebraic degree and algebraic immunity are affine invariant.

The binary representation of an integer $a$ is denoted by $(a_m a_{m-1} \ldots a_0)_2$, such that

$$a = \sum_{i=0}^{m} a_i 2^i. \qquad (5)$$

If integer $b$ is ended by $a_1 a_0$ in binary, we often denote by $b = (* a_1 a_0)_2$, where $*$ represents some 01 string. For convenience of the description in the sequel, we introduce the following notation.

Definition 2.4. Let $a, b$ be two nonnegative integers with their binary representations $(a_m a_{m-1} \ldots a_0)_2$ and $(b_n b_{n-1} \ldots b_0)_2$, $m \le n$. If $a_i = b_i$ for all $i = 0, 1, \ldots, m$, we say $a$ is a suffix of $b$ in binary and denote by $a \preceq' b$. Furthermore, if $a < b$, we say $a$ is a proper suffix of $b$, which is denoted by $a \prec' b$.

3 Main Results 

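Lemma 3.1. Let $f, g \in \mathcal{B}_n$, integer $0 \le d \le n$. If $f(\alpha) = \bigoplus_{\beta \preceq \alpha,\ 0 \le \mathrm{wt}(\beta) \le d} g(\beta)$ for all $\alpha \in \mathbb{F}_2^n$ with $\mathrm{wt}(\alpha) \le d$, then $g(\beta) = \bigoplus_{\alpha \preceq \beta} f(\alpha)$ for all $\beta \in \mathbb{F}_2^n$ with $\mathrm{wt}(\beta) \le d$.

Proof. By direct computation, for any $\beta \in \mathbb{F}_2^n$ with $\mathrm{wt}(\beta) \le d$, we have

$$\begin{aligned}
\bigoplus_{\alpha \preceq \beta} f(\alpha) &= \bigoplus_{\alpha \preceq \beta} \bigoplus_{\gamma \preceq \alpha} g(\gamma) \\
&= \bigoplus_{\gamma \preceq \beta} \Big( g(\gamma) \bigoplus_{\gamma \preceq \alpha \preceq \beta} 1 \Big) \\
&= \bigoplus_{\gamma \preceq \beta} 2^{\mathrm{wt}(\beta) - \mathrm{wt}(\gamma)} g(\gamma) = g(\beta),
\end{aligned}$$

which completes our proof. □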

Lemma 3.2. Let $f, g \in \mathcal{B}_n$, integer $0 \le d \le n$. If $f(\alpha) = 1$ for all $\alpha \in \mathbb{F}_2^n$ satisfying $0 \le \mathrm{wt}(\alpha) \le d$ and $g(\beta) = 1$ for all $\beta \in \mathbb{F}_2^n$ satisfying $n - d \le \mathrm{wt}(\beta) \le n$, then both $f$ and $g$ do not have annihilators with degree less than or equal to $d$.

Proof. Let $g' = g(x_1 \oplus 1, x_2 \oplus 1, \ldots, x_n \oplus 1)$, which takes 1 on all points with weight not exceeding $d$. Since $g'$ is affine equivalent to $g$, $\mathrm{AI}(g') = \mathrm{AI}(g)$. Therefore, it suffices to prove $f$ has no annihilator with degree not greater than $d$.

Assuming there is a function $h \in \mathcal{B}_n$ such that $fh = 0$ and $\deg(h) \le d$, we will show that $h = 0$. Write $h$ in ANF

$$h = \bigoplus_{\alpha \in \mathbb{F}_2^n} c_\alpha x^\alpha.$$

Since for any $\alpha \in \mathbb{F}_2^n$ with $\mathrm{wt}(\alpha) \le d$, we have $h(\alpha) = 0$, i.e., $\bigoplus_{\beta \preceq \alpha} c_\beta = 0$. By Lemma 3.1, for any $\beta \in \mathbb{F}_2^n$ with $\mathrm{wt}(\beta) \le d$, $c_\beta = \bigoplus_{\alpha \preceq \beta} h(\alpha) = 0$. Combining with $\deg(h) \le d$, we conclude $h = 0$. □

The following theorem is our main result, which gives a sufficient condition for a function $f \in \mathcal{SB}_{2k}$ to have algebraic immunity not less than $d$, where $d$ is a suffix of $k$ in binary.

Theorem 3.3. Let $f \in \mathcal{SB}_n$, $n = 2k$, $d \preceq' k$ and $d \ge 2$. If for any integer $i, j$ with $0 \le i \le d - 1$, $n - d + 1 \le j \le n$ and

$$k - i \equiv j - k \equiv 2^t \pmod{2^{t+1}} \qquad (6)$$

for some nonnegative integer $t$, $v_f(i) = v_f(j) \oplus 1$ holds, then $\mathrm{AI}(f) \ge d$.

Proof. To prove $\mathrm{AI}(f) \ge d$, we need to show $f$ or $f \oplus 1$ has no annihilator with degree less than $d$. Without loss of generality, we only need to prove $f$ has no annihilator with degree less than $d$, because it also satisfies the conditions in this theorem by replacing $f$ by $f \oplus 1$.

Assume there is a function $g \in \mathcal{B}_n$ such that $fg = 0$ and $\deg(g) \le d - 1$; our aim is to show $g = 0$. Write $g$ in ANF

$$g = \bigoplus_{\alpha \in \mathbb{F}_2^n} c_\alpha x^\alpha.$$

Since $\deg(g) \le d - 1$, we have $c_\alpha = 0$ for all $\mathrm{wt}(\alpha) \ge d$. If $f(\alpha) = 1$, then $g(\alpha) = 0$, which is

$$\bigoplus_{\beta \preceq \alpha,\ 0 \le \mathrm{wt}(\beta) \le d-1} c_\beta = 0. \qquad (7)$$

Denote equation (7) on point $\alpha$ by $s_\alpha = 0$. By Lemma 3.1, we know $c_\beta = \bigoplus_{\alpha \preceq \beta} s_\alpha$ for $\mathrm{wt}(\beta) \le d - 1$. We need to prove that all the equations $s_\alpha = 0$, $\alpha \in 1_f$, on $\sum_{i=0}^{d-1} \binom{n}{i}$ variables $c_\beta$, $\mathrm{wt}(\beta) \le d - 1$, have only the zero solution.

To assist our proof, we introduce a decomposition of integers according to $k$. Let $k = (k_m k_{m-1} \ldots k_0)_2$, then

$$C_p = \begin{cases} \{x \mid x - k \equiv 2^p \bmod 2^{p+1}\}, & 0 \le p \le m, \\ \{x \mid x - k \equiv 0 \bmod 2^{m+1}\}, & p = m + 1. \end{cases} \qquad (8)$$

In other words, $C_p$, $0 \le p \le m$, contains all integers with binary representation $(* \overline{k_p} k_{p-1} \cdots k_0)_2$ and $C_{m+1}$ contains all integers with binary representation $(* k_m k_{m-1} \cdots k_0)_2$. It's easy to see $C_p$, $p = 0, 1, \ldots, m + 1$, is a decomposition of all integers and $[0, d-1] \cup [n-d+1, n] \subseteq \bigcup_{i=0}^{\lfloor \log_2 d \rfloor} C_i$.

For convenience of the following description, we define some collections of equations, say $A_i$, $B_i$ and $E_i$, where

$$\begin{aligned}
A_i &= \{s_\alpha = 0 \mid \alpha \in \mathbb{F}_2^n,\ \mathrm{wt}(\alpha) \in [0, d-1] \text{ and } \mathrm{wt}(\alpha) \in C_i\}, \\
B_i &= \{s_\alpha = 0 \mid \alpha \in \mathbb{F}_2^n,\ \mathrm{wt}(\alpha) \in [n-d+1, n] \text{ and } \mathrm{wt}(\alpha) \in C_i\}, \\
E_i &\in \{A_i, B_i\},
\end{aligned} \qquad (9)$$

for $i = 0, 1, \ldots, \lfloor \log_2 d \rfloor$. Now, we use mathematical induction to prove that $A_0$ or $B_0$, union $A_1$ or $B_1$, ..., union $A_p$ or $B_p$, denoted by $\bigcup_{i=0}^{p} E_i$, has the same solution space as $\bigcup_{i=0}^{p} A_i$, i.e., $\mathrm{span}(\bigcup_{i=0}^{p} E_i) = \mathrm{span}(\bigcup_{i=0}^{p} A_i)$, for $p = 0, 1, \ldots, \lfloor \log_2 d \rfloor$. The induction parameter is $p$.

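Basis step: $p = 0$. First, we will prove that the solution space of $A_0$ is a subspace of that of $B_0$ by representing all the equations in $B_0$ as linear combinations of equations in $A_0$. Take an arbitrary equation $s_\alpha = 0$ in $B_0$, expanding $s_\alpha$ as follows,

$$\begin{aligned}
s_\alpha &= \bigoplus_{\beta \preceq \alpha,\ 0 \le \mathrm{wt}(\beta) \le d-1} c_\beta = \bigoplus_{\beta \preceq \alpha,\ 0 \le \mathrm{wt}(\beta) \le d-1}\ \bigoplus_{\gamma \preceq \beta} s_\gamma \\
&= \bigoplus_{\gamma \preceq \alpha,\ 0 \le \mathrm{wt}(\gamma) \le d-1} \Big( s_\gamma \bigoplus_{\gamma \preceq \beta \preceq \alpha,\ 0 \le \mathrm{wt}(\beta) \le d-1} 1 \Big) \\
&= \bigoplus_{\gamma \preceq \alpha,\ 0 \le \mathrm{wt}(\gamma) \le d-1} \Big( s_\gamma \bigoplus_{i=0}^{d-1-\mathrm{wt}(\gamma)} \binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} \Big). \qquad (10)
\end{aligned}$$

Considering $s_\gamma$ in (10), where $\mathrm{wt}(\gamma) \notin C_0$, we want to show the coefficient of $s_\gamma$ is 0. By Lucas' formula, we know $\binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} = 1$ over $\mathbb{F}_2$ if and only if $i \preceq \mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)$. Note that $\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma) = (* \overline{k_0})_2 - (* k_0)_2 = (* 1)_2$ and $d - 1 - \mathrm{wt}(\gamma) = (* k_0)_2 - 1 - (* k_0)_2 = (* 1)_2$. Hence, if $i = (\cdots i_2 i_1 0)_2$ satisfies $i \preceq \mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)$ and $i \le d - 1 - \mathrm{wt}(\gamma)$, then $i + 1 = (\cdots i_2 i_1 1)_2$ also satisfies the above constraints and vice versa. We conclude that an $i$ ended by 0 in its binary representation satisfying $i \preceq \mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)$ must correspond with another $i$ ended by 1 in the inner sum of (10). Thus, $\bigoplus_{i=0}^{d-1-\mathrm{wt}(\gamma)} \binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} = 0$ when $\mathrm{wt}(\gamma) \notin C_0$, and all equations in $B_0$ could be represented as linear combinations of those in $A_0$. Therefore a solution of equations $A_0$ is also a solution of $B_0$, which implies the solution space of $A_0$ is a subspace of that of $B_0$.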

By Lemma 3.2, it's easy to see equations in both $A_0$ and $B_0$ are linearly independent. Since they have the same size, the dimensions of both solution spaces are the same. Therefore, the solution spaces of $A_0$ and $B_0$ are the same, which completes the basis step for $p = 0$.

Induction step: assuming the proposition is true for $p = q - 1$, $q \ge 1$, we will prove it's also true for $p = q$.

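First, we will prove the solution space of $\bigcup_{i=0}^{q} A_i$ is a subspace of that of $\bigcup_{i=0}^{q-1} A_i \cup B_q$. Taking an arbitrary $s_\alpha = 0$ in $B_q$, we want to show $s_\alpha$ can be represented as linear combinations of equations in $\bigcup_{i=0}^{q} A_i$. Similar to the method in the basis step, expand $s_\alpha$ as

$$\bigoplus_{\gamma \preceq \alpha,\ 0 \le \mathrm{wt}(\gamma) \le d-1} \Big( s_\gamma \bigoplus_{i=0}^{d-1-\mathrm{wt}(\gamma)} \binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} \Big). \qquad (11)$$

The key is to show $\bigoplus_{i=0}^{d-1-\mathrm{wt}(\gamma)} \binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} = 0$ when $\mathrm{wt}(\gamma) \notin \bigcup_{i=0}^{q} C_i$. Take an arbitrary $\gamma$ such that $\mathrm{wt}(\gamma) \notin \bigcup_{i=0}^{q} C_i$. Noting that $\mathrm{wt}(\alpha) = (* \overline{k_q} k_{q-1} \cdots k_0)_2$, $\mathrm{wt}(\gamma) = (* k_q k_{q-1} \ldots k_0)_2$ and $d - 1 = (k_{\lfloor \log_2 d \rfloor} \cdots k_q k_{q-1} \cdots k_0)_2 - 1$, we have $\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma) = (* 1 \underbrace{0 \cdots 0}_{q \text{ times}})_2$ and $d - 1 - \mathrm{wt}(\gamma) = (* 1 \underbrace{1 \cdots 1}_{q \text{ times}})_2$. It's easy to see that if there is an $i = (* 0 i_{q-1} \cdots i_0)_2$, $0 \le i \le d - 1 - \mathrm{wt}(\gamma)$, satisfying $\binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} = 1$, i.e., $i \preceq \mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)$, then $i + 2^q = (* 1 i_{q-1} \cdots i_0)_2$ also satisfies $i + 2^q \preceq \mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)$ and $i + 2^q \le d - 1 - \mathrm{wt}(\gamma)$ and vice versa. Since this correspondence is one to one, the 1's in the inner sum of (11) can be divided into pairs. Therefore, $\bigoplus_{i=0}^{d-1-\mathrm{wt}(\gamma)} \binom{\mathrm{wt}(\alpha) - \mathrm{wt}(\gamma)}{i} = 0$ and all equations in $B_q$ can be written as sums of equations in $\bigcup_{i=0}^{q} A_i$. We conclude that the solution space of $\bigcup_{i=0}^{q} A_i$ is a subspace of that of $\bigcup_{i=0}^{q-1} A_i \cup B_q$.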
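By induction hypothesis,

$$\mathrm{span}\Big(\bigcup_{i=0}^{q-1} A_i \cup B_q\Big) = \mathrm{span}\Big(\bigcup_{i=0}^{q-1} B_i \cup B_q\Big) = \mathrm{span}\Big(\bigcup_{i=0}^{q} B_i\Big).$$

And by Lemma 3.2, it's not hard to see there is no linear dependence in $\bigcup_{i=0}^{q} B_i$ as well as in $\bigcup_{i=0}^{q} A_i$. Note that $|\bigcup_{i=0}^{q} A_i| = |\bigcup_{i=0}^{q} B_i|$, so the dimensions of the solution spaces of $\bigcup_{i=0}^{q} A_i$ and $\bigcup_{i=0}^{q-1} A_i \cup B_q$ are the same. Combining with the fact that the solution space of $\bigcup_{i=0}^{q} A_i$ is a subspace of that of $\bigcup_{i=0}^{q-1} A_i \cup B_q$, we claim these two solution spaces are exactly the same. Using induction hypothesis again, we have

$$\begin{aligned}
\mathrm{span}\Big(\bigcup_{i=0}^{q} A_i\Big) &= \mathrm{span}\Big(\bigcup_{i=0}^{q-1} A_i \cup B_q\Big) \\
&= \mathrm{span}\Big(\bigcup_{i=0}^{q-1} E_i \cup B_q\Big) \\
&= \mathrm{span}\Big(\bigcup_{i=0}^{q} E_i\Big),
\end{aligned}$$

which completes the induction.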

Now, let's go back to the original problem of proving $g = 0$. By the conditions in this theorem, for any $\alpha \in \mathbb{F}_2^n$, $\mathrm{wt}(\alpha) \in C_t \cap [0, d-1]$, we have $f(\alpha) = m$; for any $\alpha \in \mathbb{F}_2^n$, $\mathrm{wt}(\alpha) \in C_t \cap [n-d+1, n]$, we have $f(\alpha) = m \oplus 1$, where $m = 0$ or 1. If $m = 1$, we could list equations on the point $\alpha$, where $\mathrm{wt}(\alpha) \in C_t \cap [0, d-1]$, which is exactly the equations set $A_t$. If $m = 0$, we could list equations on the point $\alpha$, where $\mathrm{wt}(\alpha) \in C_t \cap [n-d+1, n]$, which is exactly the equations set $B_t$. If we let $t$ run over from 0 to $\lfloor \log_2 d \rfloor$, we obtain equations $\bigcup_{t=0}^{\lfloor \log_2 d \rfloor} E_t$, which is equivalent to $\bigcup_{i=0}^{\lfloor \log_2 d \rfloor} A_i$. By Lemma 3.2, $\bigcup_{i=0}^{\lfloor \log_2 d \rfloor} A_i$ has only the zero solution, thus $\bigcup_{t=0}^{\lfloor \log_2 d \rfloor} E_t$ has only the zero solution. Therefore, $g = 0$ and the proof is complete. □

Construction 3.4. Given two positive integers $k, d$, where $d \preceq' k$ and $2 \le d \le k$, we construct a function $f$ in $\mathcal{SB}_{2k}$ as follows.

• Choose $\lfloor \log_2 d \rfloor + 1$ numbers in $\mathbb{F}_2$ arbitrarily, denoted by $m_0, m_1, \ldots, m_{\lfloor \log_2 d \rfloor}$.

• Define a symmetric Boolean function $f$ through its simplified value vector, which is

$$v_f(i) = \begin{cases} m_t, & i \in C_t \cap [0, d-1], \\ m_t \oplus 1, & i \in C_t \cap [n-d+1, n], \\ 0 \text{ or } 1, & \text{otherwise}. \end{cases} \qquad (12)$$

By Theorem 3.3, $\mathrm{AI}(f) \ge d$ for $f$ in Construction 3.4. We present an example here to illustrate our construction. Let $k = 6 = (110)_2$ and $d = k$. We have $C_0 = \{1, 3, 5, 7, 9, 11, \ldots\}$, $C_1 = \{0, 4, 8, 12, \ldots\}$ and $C_2 = \{2, 10, \ldots\}$. Therefore, constraints $v_f(1) = v_f(3) = v_f(5) = v_f(7) \oplus 1 = v_f(9) \oplus 1 = v_f(11) \oplus 1$, $v_f(0) = v_f(4) = v_f(8) \oplus 1 = v_f(12) \oplus 1$ and $v_f(2) = v_f(10) \oplus 1$ must be satisfied. Letting $m_0, m_1, m_2 \in \mathbb{F}_2$ take over all the 8 combinations, we obtain the following 8 functions with maximum algebraic immunity in Table 1.



Table 1: Functions in $\mathcal{SB}_{12}$ with maximum AI

m_0 m_1 m_2    SVV: v_f(0)...v_f(12)    SANF: λ_f(0)...λ_f(12)
000            0000000111111            0000000110000
000            0000001111111            0000001010000
001            0010000111011            0011001010000
001            0010001111011            0011000110000
010            1000100101110            1111000110000
010            1000101101110            1111001010000
011            1010100101010            1100001010000
011            1010101101010            1100000110000
100            0101010010101            0100000110000
100            0101011010101            0100001010000
101            0111010010001            0111001010000
101            0111011010001            0111000110000
110            1101110000100            1011000110000
110            1101111000100            1011001010000
111            1111110000000            1000001010000
111            1111111000000            1000000110000



Corollary 3.5. The number of symmetric Boolean functions on $2k$ variables, with algebraic immunity greater than or equal to $d$, $d \ge 2$ and $d \preceq' k$, is not less than

$$2^{\lfloor \log_2 d \rfloor + 2(k-d+1)}. \qquad (13)$$

Proof. We prove this by enumerating all the functions in Construction 3.4. There are $\lfloor \log_2 d \rfloor + 1$ numbers in $\mathbb{F}_2$ that could be chosen arbitrarily. To show different choices will generate different functions, it's sufficient to prove $C_t \cap [0, d-1] \ne \emptyset$. If $0 \le t \le \lfloor \log_2 d \rfloor - 1$, it's obvious that $(\overline{k_t} \cdots k_1 k_0)_2 \in C_t$ and $(\overline{k_t} \cdots k_1 k_0)_2 < (k_{\lfloor \log_2 d \rfloor} \cdots k_1 k_0)_2 = d$. If $t = \lfloor \log_2 d \rfloor$, $(\overline{k_t} \cdots k_1 k_0)_2 \in C_t$. Because $k_t = 1$, we have $(\overline{k_t} \cdots k_1 k_0)_2 < d$.

Since the number of all choices for $m_0, m_1, \ldots, m_{\lfloor \log_2 d \rfloor}$ is $2^{\lfloor \log_2 d \rfloor + 1}$ and $v_f(i)$ could take either 0 or 1 when $i \in [d, n-d]$, the total number of such $f$ that can be constructed is

$$2^{\lfloor \log_2 d \rfloor + 1 + n - d - d + 1} = 2^{\lfloor \log_2 d \rfloor + 2(k-d+1)},$$

which completes our proof. □

We present another example here to illustrate our counting result. Let $k = 13 = (1101)_2$, $d = 5 = (101)_2 \preceq' k$. Hence $C_0 = \{0, 2, 4, 6, \ldots\}$, $C_1 = \{3, 7, \ldots\}$ and $C_2 = \{1, 9, \ldots\}$. For arbitrary $m_0, m_1, m_2 \in \mathbb{F}_2$, $m_0 = v_f(0) = v_f(2) = v_f(4) = v_f(26) \oplus 1 = v_f(24) \oplus 1 = v_f(22) \oplus 1$, $m_1 = v_f(3) = v_f(23) \oplus 1$ and $m_2 = v_f(1) = v_f(25) \oplus 1$ must be satisfied, while the other bits could take 0 or 1 arbitrarily. Letting $m_0, m_1, m_2$ run over all 8 combinations, $2^{20}$ functions $\in \mathcal{SB}_{26}$ are constructed and listed in Table 2.



Table 2: Functions in $\mathcal{SB}_{26}$ with AI not less than 5

m_0 m_1 m_2    SVV: v_f(0) v_f(1) ... v_f(26)
000            00000???...???11111
001            01000???...???11101
010            00010???...???10111
011            01010???...???10101
100            10101???...???01010
101            11101???...???01000
110            10111???...???00010
111            11111???...???00000
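
The following Python sketch is an added example, not code from the paper: it enumerates the simplified value vectors allowed by Construction 3.4 (which is also the count used in Corollary 3.5) and checks the bound of Theorem 3.3 by brute force, testing over GF(2) whether a nonzero polynomial of degree at most d - 1 vanishes on the on set or on the off set. All function names are this example's own, and the rank test is only practical for small n (it is run here for k = 3, n = 6).

```python
from itertools import product

def is_suffix(d, k):
    """Definition 2.4: the binary digits of d are the low-order digits of k."""
    return 0 < d <= k and (k - d) % (1 << d.bit_length()) == 0

def class_index(x, k):
    """The p with x in C_p, i.e. x - k = 2^p (mod 2^(p+1)); requires x != k."""
    y = x - k
    return (y & -y).bit_length() - 1              # position of lowest set bit

def construct_svvs(k, d):
    """Yield every simplified value vector allowed by Construction 3.4."""
    if d < 2 or not is_suffix(d, k):
        raise ValueError("need d >= 2 and d a binary suffix of k")
    n, levels = 2 * k, d.bit_length()             # levels = floor(log2 d) + 1
    free = list(range(d, n - d + 1))              # weights left unconstrained
    for m in product((0, 1), repeat=levels):
        for bits in product((0, 1), repeat=len(free)):
            v = [0] * (n + 1)
            for i in range(d):                    # low weights take m_t
                v[i] = m[class_index(i, k)]
            for j in range(n - d + 1, n + 1):     # high weights take m_t xor 1
                v[j] = m[class_index(j, k)] ^ 1
            for pos, b in zip(free, bits):
                v[pos] = b
            yield tuple(v)

def has_annihilator(points, n, deg):
    """True if some nonzero g with deg(g) <= deg vanishes on all points."""
    monos = [a for a in range(1 << n) if bin(a).count("1") <= deg]
    basis = {}                                    # pivot bit -> reduced row
    for x in points:
        # Monomial x^a evaluates to 1 at point x exactly when a is covered by x.
        row = sum(1 << c for c, a in enumerate(monos) if (a & x) == a)
        while row:
            p = row.bit_length() - 1
            if p not in basis:
                basis[p] = row
                break
            row ^= basis[p]
    return len(basis) < len(monos)                # rank deficit: free coefficient

def ai_at_least(svv, d):
    """AI(f) >= d: neither f nor f xor 1 has an annihilator of degree <= d-1."""
    n = len(svv) - 1
    on = [x for x in range(1 << n) if svv[bin(x).count("1")]]
    off = [x for x in range(1 << n) if not svv[bin(x).count("1")]]
    return not has_annihilator(on, n, d - 1) and not has_annihilator(off, n, d - 1)

if __name__ == "__main__":
    fams = list(construct_svvs(3, 3))             # k = 3 = (11)_2, d = k, n = 6
    print(len(fams), all(ai_at_least(v, 3) for v in fams))
```
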